Forum Replies Created

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hi, I have the same alert from Wordfence, but I am not sure if it is after the Updraft update, because a few hours before I found in StatComm suspicious behaviour from
    IP address 198.27.65.153[ss2.cloudeh.com]:

    URL:	http://www.mysite.cz/pma/scripts/setup.php/
    Type:	Page not found
    Referrer:	http://mysite.cz/pma/scripts/setup.php
    Full Browser ID:	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
    Time:	13 hours 11 mins ago -- Mon, 03 Feb 14 22:02:17 +0000 -- 1391464937.260435 in Unixtime
    Secs since last hit:	2.2778
    URL:	http://www.mysite.cz/pma/scripts/setup.php/
    Type:	Normal request
    Referrer:	http://mysite.cz/pma/scripts/setup.php
    Full Browser ID:	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
    Time:	13 hours 11 mins ago -- Mon, 03 Feb 14 22:02:14 +0000 -- 1391464934.982625 in Unixtime
    Secs since last hit:	0.0000
    URL:	http://www.mysite.cz/myadmin/scripts/setup.php/
    Type:	Page not found
    Referrer:	http://mysite.cz/myadmin/scripts/setup.php
    Full Browser ID:	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
    Time:	13 hours 11 mins ago -- Mon, 03 Feb 14 22:02:14 +0000 -- 1391464934.982625 in Unixtime
    Secs since last hit:	2.3332
    URL:	http://www.mysite.cz/myadmin/scripts/setup.php/
    Type:	Normal request
    Referrer:	http://mysite.cz/myadmin/scripts/setup.php
    Full Browser ID:	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
    Time:	13 hours 11 mins ago -- Mon, 03 Feb 14 22:02:12 +0000 -- 1391464932.649379 in Unixtime
    Secs since last hit:	0.0000
    URL:	http://www.mysite.cz/phpMyAdmin/scripts/setup.php/
    Type:	Page not found
    Referrer:	http://mysite.cz/phpMyAdmin/scripts/setup.php
    Full Browser ID:	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
    Time:	13 hours 11 mins ago -- Mon, 03 Feb 14 22:02:12 +0000 -- 1391464932.649379 in Unixtime
    URL:	http://www.mysite.cz/phpMyAdmin/scripts/setup.php/
    Type:	Normal request
    Referrer:	http://mysite.cz/phpMyAdmin/scripts/setup.php
    Full Browser ID:	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
    
    and then Wordfence sent an alert:
    
    Issue
    
    This file may contain malicious executable code
    
    Filename:	www.wordpress.cz/wp-includes/post.php
    File type:	Not a core, theme or plugin file.
    Issue first detected:	14 mins ago.
    Severity:	Critical
    Status	New
    
    This file is a PHP executable file and contains the word 'eval' (without quotes) and the word 'urldecode' (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans.
    Tools: View the file. Delete this file (can't be undone).
      Select for bulk delete
    Resolve: I have fixed this issue Ignore until the file changes. Always ignore this file.
    
    This file may contain malicious executable code
    
    Filename:	www.wordpress.cz/wp-admin/includes/class-pclzip.php
    File type:	Not a core, theme or plugin file.
    Issue first detected:	14 mins ago.
    Severity:	Critical
    Status	New
    
    This file is a PHP executable file and contains the word 'eval' (without quotes) and the word 'unpack' (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans.
    Tools: View the file. Delete this file (can't be undone).
      Select for bulk delete
    Resolve: I have fixed this issue Ignore until the file changes. Always ignore this file.
    
    This file may contain malicious executable code
    
    Filename:	www.wordpress.cz/wp-includes/class-simplepie.php
    File type:	Not a core, theme or plugin file.
    Issue first detected:	14 mins ago.
    Severity:	Critical
    Status	New
    
    This file is a PHP executable file and contains the word 'eval' (without quotes) and the word 'base64_decode' (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans.
    Tools: View the file. Delete this file (can't be undone).
      Select for bulk delete
    Resolve: I have fixed this issue Ignore until the file changes. Always ignore this file.
    
    This file may contain malicious executable code
    
    Filename:	www.wordpress.cz/wp-includes/class-snoopy.php
    File type:	Not a core, theme or plugin file.
    Issue first detected:	14 mins ago.
    Severity:	Critical
    Status	New
    
    This file is a PHP executable file and contains the word 'eval' (without quotes) and the word 'urldecode' (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans.
    Tools: View the file. Delete this file (can't be undone).
      Select for bulk delete
    Resolve: I have fixed this issue Ignore until the file changes. Always ignore this file.
    
    This file may contain malicious executable code
    
    Filename:	www.wordpress.cz/wp-includes/class-wp.php
    File type:	Not a core, theme or plugin file.
    Issue first detected:	14 mins ago.
    Severity:	Critical
    Status	New
    
    This file is a PHP executable file and contains the word 'eval' (without quotes) and the word 'urldecode' (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans.
    Tools: View the file. Delete this file (can't be undone).
      Select for bulk delete
    Resolve: I have fixed this issue Ignore until the file changes. Always ignore this file.
    
    This file may contain malicious executable code
    
    Filename:	www.wordpress.cz/wp-admin/press-this.php
    File type:	Not a core, theme or plugin file.
    Issue first detected:	14 mins ago.
    Severity:	Critical
    Status	New
    
    This file is a PHP executable file and contains the word 'eval' (without quotes) and the word 'urldecode' (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans.
    Tools: View the file. Delete this file (can't be undone).
      Select for bulk delete
    Resolve: I have fixed this issue Ignore until the file changes. Always ignore this file.
    
    This file may contain malicious executable code
    
    Filename:	wp-content/plugins/updraftplus/updraftplus.php
    File type:	Not a core, theme or plugin file.
    Issue first detected:	14 mins ago.
    Severity:	Critical
    Status	New
    
    This file is a PHP executable file and contains the word 'eval' (without quotes) and the word 'unpack' (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans.
    Tools: View the file. Delete this file (can't be undone).
      Select for bulk delete
    Resolve: I have fixed this issue Ignore until the file changes. Always ignore this file.
    
    This file may contain malicious executable code
    
    Filename:	wp-content/plugins/wp-super-cache/wp-cache.php
    File type:	Not a core, theme or plugin file.
    Issue first detected:	14 mins ago.
    Severity:	Critical
    Status	New
    
    This file is a PHP executable file and contains the word 'eval' (without quotes) and the word 'base64_decode' (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans.
    Tools: View the file. Delete this file (can't be undone).
      Select for bulk delete

    [Moderator Note: Please post log files between backticks or use the code button.]

    So I am afraid that the site is hacked

    cihar
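The burst of `setup.php` requests pasted in the post above can be recognised mechanically. The following is an added detection example, not part of the original post and not StatComm or Wordfence code: it parses hits in the same `URL:` / `Type:` / `Time:` field layout and reports when several directory guesses for `scripts/setup.php` arrive inside one short window. The sample data, the `example.test` host, the function names and the thresholds are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the field layout of the pasted entries (example.test is a placeholder).
SAMPLE = """\
URL:\thttp://www.example.test/pma/scripts/setup.php/
Type:\tPage not found
Time:\t13 hours ago -- Mon, 03 Feb 14 22:02:17 +0000 -- 1391464937.26 in Unixtime
URL:\thttp://www.example.test/myadmin/scripts/setup.php/
Type:\tPage not found
Time:\t13 hours ago -- Mon, 03 Feb 14 22:02:14 +0000 -- 1391464934.98 in Unixtime
URL:\thttp://www.example.test/phpMyAdmin/scripts/setup.php/
Type:\tPage not found
Time:\t13 hours ago -- Mon, 03 Feb 14 22:02:12 +0000 -- 1391464932.64 in Unixtime
URL:\thttp://www.example.test/about/
Type:\tNormal request
Time:\t13 hours ago -- Mon, 03 Feb 14 22:10:00 +0000 -- 1391465400.00 in Unixtime
"""

PROBE = re.compile(r"^/([^/]+)/scripts/setup\.php/?$", re.I)  # /<guess>/scripts/setup.php
UNIXTIME = re.compile(r"([\d.]+) in Unixtime")

def parse_hits(text):
    """Split the dump into one dict per hit; every 'URL:' line starts a new record."""
    hits = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "URL":
            hits.append({})
        if sep and hits:
            hits[-1][key.strip()] = value.strip()
    return hits

def find_setup_probes(text, window=60.0, min_dirs=3):
    """Summarise setup.php probing; returns None when no probe request is present."""
    probes = []
    for hit in parse_hits(text):
        m = PROBE.match(urlparse(hit.get("URL", "")).path)
        t = UNIXTIME.search(hit.get("Time", ""))
        if m and t:
            probes.append((float(t.group(1)), m.group(1), hit.get("Type", "")))
    if not probes:
        return None
    span = max(p[0] for p in probes) - min(p[0] for p in probes)
    dirs = sorted({d for _, d, _ in probes})
    return {"directories": dirs, "span_seconds": round(span, 2),
            # Flag only when enough distinct directory names were tried within the window.
            "is_scan": len(dirs) >= min_dirs and span <= window,
            # Probes logged with any Type other than 'Page not found' need a manual look.
            "answered": [d for _, d, typ in probes if typ != "Page not found"]}
```

An empty `answered` list means every probed path was logged as "Page not found"; any directory that appears there should be checked on disk.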

    Thread Starter cihar

    (@cihar)

    Can't wait – deleted BWPS

    I am writing here because I did not find a relevant solution in Better WP Security,
    which topic has been closed to new replies.

    Hi,
    I have a similar problem at http://www.carlsen.cz/ running the latest WP and plugins – after a User agent ban I've got a 500 Internal Server Error and don't know how to solve it.
